IT Security Measures

B.

In general, IT security measures are tailored according to an organization's unique needs.

While numerous factors, such as the overriding mission requirements, and guidance, are to be considered, the fundamental issue is the protection of the mission or business from IT security-related, negative impacts.

Because IT security needs are not uniform, system designers and security practitioners should consider the level of trust when connecting to other external networks and internal sub-domains.

Recognizing the uniqueness of each system allows a layered security strategy to be used - implementing lower assurance solutions with lower costs to protect less critical systems and higher assurance solutions only at the most critical areas.

The more complex the mechanism, the more likely it may possess exploitable flaws.

Simple mechanisms tend to have fewer exploitable flaws and require less maintenance.

Further, because configuration management issues are simplified, updating or replacing a simple mechanism becomes a less intensive process.

Security designs should consider a layered approach to address or protect against a specific threat or to reduce a vulnerability.

For example, the use of a packet- filtering router in conjunction with an application gateway and an intrusion detection system combine to increase the work-factor an attacker must expend to successfully attack the system.

Adding good password controls and adequate user training improves the system's security posture even more.

The need for layered protections is especially important when commercial-off-the-shelf (COTS) products are used.

Practical experience has shown that the current state-of-the-art for security quality in COTS products does not provide a high degree of protection against sophisticated attacks.

It is possible to help mitigate this situation by placing several controls in series, requiring additional work by attackers to accomplish their goals.

Source: STONEBURNER, Gary & al, National Institute of Standards and Technology (NIST), NIST Special Publication 800-27, Engineering Principles for Information Technology Security (A Baseline for Achieving Security), June 2001 (pages 9-10).

Answer B, "Be tailored to meet organizational security goals," is the correct choice among the options given.

IT security measures should be designed to meet the specific needs and goals of the organization. The security measures should be appropriate for the types of risks and threats faced by the organization, and the measures should be designed to mitigate these risks.

For example, a financial institution will have different security requirements than a small retail business. The financial institution will require more stringent security measures to protect sensitive financial data and transactions, while the retail business may have fewer security requirements.

Additionally, security measures should be designed with the organization's overall goals in mind. For example, if an organization's goal is to be more mobile and flexible in its operations, security measures should be designed to allow for secure remote access to the organization's systems and data.

Furthermore, security measures should be continually reviewed and updated to ensure they remain effective and aligned with the organization's goals and needs. This is especially important as technology and security threats continue to evolve.

In contrast, option A, "Be complex," is not necessarily the best approach. Security measures should be designed to be effective, efficient, and manageable. Overly complex security measures can be difficult to manage and may actually increase the risk of security breaches.

Option C, "Make sure that every asset of the organization is well-protected," is an unrealistic goal. Organizations have limited resources, and it may not be feasible or cost-effective to protect every asset equally. Instead, security measures should be designed to prioritize protection of the most critical assets and systems.

Finally, option D, "Not be developed in a layered fashion," is also incorrect. A layered security approach is considered best practice in IT security. This involves implementing multiple layers of security controls, such as firewalls, intrusion detection systems, and antivirus software, to provide a more comprehensive defense against threats.